There are known redundancy techniques for guarding against malicious alterations of electronic message files such as electronic mail. A common method employed to determine whether a message has been altered in transit between the sender and recipient is to add message redundancy to the message file. Such redundancy may take the form of a cyclic redundancy check (CRC) or a hash of the message. In such systems, prior to transmission of the message from the sender's communication device, an encoder calculates a CRC or hash value based on the content of the message, and appends this value to the end of the message file. The message, together with the hash value, is then encrypted. The encrypted message with the appended CRC or hash value is then transmitted via a wireless or fixed-link network to the recipient's communication device.
When the message is received by the recipient's communication device, the message is decrypted. The CRC or hash value may then be found by the recipient's communication device at the end of the message. The recipient's communication device is able to calculate a CRC or hash value from the received message content, and then compares the calculated value with the redundancy value that was transmitted with the message. If the values match, then the message file is presumed to have been unaltered before receipt by the recipient's communication device. If the values do not match, then the message is determined to have been deliberately or accidentally altered.
The structure of such electronic message files is static; in other words, it is generally known that redundancy measures such as those described above append the CRC or hash value at the end of the message file. It is therefore possible for a party intercepting an electronic message before it is received by the message recipient to locate the redundancy value at the end of the intercepted message content. Once the redundancy value is located, an intercepting party may maliciously alter the content of the message while preserving the redundancy value. Alternatively, an intercepting party may alter the content of the message, recalculate the redundancy value, and replace the old hash value with the newly recalculated value. In such a case, the redundancy technique is rendered ineffective as the recipient is therefore unable to determine from the redundancy value comparison that the message has been tampered with when it is finally received by the recipient's communication device.
Accordingly, it is desirable to provide a method for adding redundancy checks to an electronic message such that deliberate tampering is discouraged, and is easier to detect.